CVE-2026-45659
An insecure deserialization vulnerability in Microsoft Office SharePoint allows an authorized attacker to execute arbitrary code over a network.
Critical vulnerabilities, curated daily for security professionals
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality. Learn more about SSCV Framework
Apache Camel dominates yesterday's disclosures with six critical vulnerabilities rated CVSS 9.1-9.8, including CVE-2026-46454, CVE-2026-48204, and CVE-2026-56140 affecting core components and the AWS2 SNS integration. In total, 35 critical CVEs were disclosed, up from 3 the prior day, alongside 86 high-priority CVEs, up from 20. Beyond the Camel cluster, Coollabsio Coolify carries two CVSS 9.9 flaws (CVE-2026-34037, CVE-2026-34038), and WordPress plugins are also affected, with WPFunnels (CVE-2026-14345, CVSS 9.8) and a file manager plugin family (CVE-2026-6382, CVSS 9.1) among the top issues. The pattern skews toward integration frameworks, self-hosted deployment platforms, and WordPress plugin ecosystems, with remote code execution and unauthorized access as the primary risks; one Microsoft SharePoint vulnerability (CVE-2026-45659) has confirmed active exploitation. Patch availability currently stands at 0% for this set, so teams should track vendor advisories closely and apply compensating controls where updates are not yet published.
Immediate action: Teams running Apache Camel, Coolify, or the affected WordPress plugins should inventory exposed instances now and monitor vendor advisories for fixes, prioritizing internet-facing integration endpoints. Organizations using Microsoft SharePoint should apply available mitigations for CVE-2026-45659 immediately given confirmed active exploitation. With patch availability at 0% for the broader set, apply compensating controls such as network restrictions and WAF rules until vendor updates ship.
CVSS score (e.g. 9.1) — severity from 0–10. Red marks critical (9+), orange high (7–8.9).
Exploitability — how hard the flaw is to attack, read from the CVSS vector:
The lower the bar on all three, the easier to exploit at scale — “Network · No privileges · No interaction” is the worst case: hit from anywhere, no credentials, no victim action.
🔴 Actively exploited — confirmed under attack in the wild (CISA’s Known Exploited Vulnerabilities catalog). Prioritize these regardless of score.
EPSS · Nth percentile — FIRST.org’s estimated chance a flaw is exploited within 30 days. We flag it only in the top 10% — a statistical signal it’s unusually likely to be targeted, separate from whether attacks are confirmed.
An insecure deserialization vulnerability in Microsoft Office SharePoint allows an authorized attacker to execute arbitrary code over a network.
The WPFunnels WordPress plugin is vulnerable to unauthenticated remote code execution due to improper sanitization of log data combined with unsafe file inclusion.
The Apache Camel Cometd component is vulnerable to improper input validation, allowing unauthenticated remote attackers to inject control headers and influence downstream route behavior.
An SSRF vulnerability in Apache Camel DNS allows unauthenticated attackers to perform internal network reconnaissance and potentially interact with attacker-controlled DNS servers.
A deserialization vulnerability in the Apache Camel PQC component allows attackers with write access to AWS Secrets Manager to execute arbitrary code via crafted serialized objects.
An authorization bypass vulnerability in Coolify allows authenticated users to access and manipulate resources belonging to other tenants.
Coolify contains an authenticated remote command injection vulnerability in application deployment handling, allowing remote code execution and sensitive data exfiltration.
Several WordPress file management plugins are vulnerable to OS Command Injection when processing images, allowing authenticated users with administrative privileges to execute arbitrary commands.
Improper input validation in the Apache Camel AWS2-SQS component allows attackers to inject arbitrary control headers, potentially hijacking downstream route behavior.
An input validation vulnerability in the Apache Camel MongoDB GridFS component allows unauthenticated remote attackers to perform unauthorized operations or NoSQL injection via crafted HTTP headers.
A defense-in-depth hardening change was applied to the Apache Camel AWS2 SNS component to align header filtering strategies, despite no known exploit path existing for this producer-only component.
An argument injection vulnerability in the Apache Camel Docling component allows attackers to inject malicious CLI flags and perform directory traversal via improperly sanitized exchange headers.
The Apache Camel Solr component is vulnerable to SSRF and parameter injection due to improper header validation, allowing unauthenticated attackers to manipulate requests via crafted HTTP headers.
Adobe ColdFusion is susceptible to an improper input validation vulnerability that allows an unauthenticated remote attacker to execute arbitrary code.
ownCloud Core contains an exposed dangerous method in the Updater, allowing an authenticated administrator to achieve arbitrary code execution.
FOSSBilling contains an unauthenticated payment bypass vulnerability in the IPN callback endpoint, allowing attackers to mark invoices as paid without actual payment.
The Apache Camel Keycloak component fails to properly validate token expiration and 'not-before' claims, allowing the acceptance of expired or invalid access tokens.
Coolify terminal WebSocket routes fail to enforce authorization, allowing authenticated users to access and execute commands on unauthorized resources.
Coolify terminal WebSocket routes fail to enforce team-based authorization, enabling low-privileged team members to execute commands on servers belonging to other teams.
Apache IoTDB contains an authentication bypass vulnerability in its Thrift RPC handlers, allowing unauthenticated attackers to spoof session IDs and access query results.
A path traversal vulnerability in the Apache IoTDB DataNode RPC interface allows unauthenticated attackers to perform arbitrary file writes.
Crawl4ai is vulnerable to command injection via the Docker API, allowing unauthenticated attackers to execute arbitrary commands on the host by injecting malicious Chromium launch arguments.
An improper authorization vulnerability in the Plesk XML API allows authenticated users to inject configuration directives, leading to arbitrary file writes and full root privilege escalation.
A critical authentication bypass vulnerability in the default SFTP server component of multiple Ciena products allows remote, unauthenticated attackers to gain unauthorized access to the filesystem.
A pre-authentication vulnerability in the BeyondTrust Remote Support and Privileged Remote Access authentication subsystem allows attackers to bypass access controls.
A pre-authentication vulnerability in BeyondTrust Remote Support and Privileged Remote Access allows unauthenticated attackers to bypass access controls and gain unauthorized administrative access.
A path traversal vulnerability in crawl4ai allows attackers to perform arbitrary file writes by injecting malicious filenames during the crawling process, potentially leading to remote code execution.
ArcGIS Server is affected by a directory traversal vulnerability that allows unauthenticated attackers to access sensitive files on the host system via crafted path parameters.
An authenticated cross-tenant authorization bypass in Adiss Biloop allows users to access or modify data belonging to other companies by manipulating the company ID parameter.
An improper authorization flaw in the OAuth sign-in callback mechanism allows attackers to silently re-enable previously disabled administrator accounts.
Gitea versions before 1.26.0 fail to handle errors correctly during pre-receive hook processing, allowing attackers to bypass branch-protection checks using oversized input.
A use-after-free vulnerability in libcurl allows potential memory corruption via manipulated HTTP/2 stream dependency configurations during handle cleanup.
A security flaw in Gitea allows unauthorized users to bypass token scope checks when downloading repository archives via the web interface.
A vulnerability in Gitea 1.26.2 allows unauthorized data access by failing to terminate fork synchronization when a parent repository transitions from public to private visibility.
The Perl module Net::IP::LPM allows a heap out-of-bounds read due to improper validation of prefix lengths in the add() function.
A Server-Side Request Forgery (SSRF) vulnerability in the Anti-Virus for ownCloud application allows high-privileged users to trigger unauthorized requests from the server.
A path traversal vulnerability in Apache Airflow's Google provider allows attackers to potentially write files to unauthorized locations due to insufficient sanitization of GCS object names.
An untrusted Java deserialization vulnerability exists in the Apache OpenNLP SvmDoccatModel component, potentially allowing arbitrary code execution.
Coolify is vulnerable to OS Command Injection, allowing an authenticated user to execute arbitrary commands on the underlying host system.
Coolify contains an OS command injection vulnerability that allows an authenticated user to execute arbitrary commands on the host server.
Coolify is susceptible to an OS command injection vulnerability, enabling authenticated users to perform unauthorized command execution on the host machine.
Coolify is susceptible to an OS Command Injection vulnerability that allows authenticated attackers to execute arbitrary system commands on the host server.
Coolify contains an OS Command Injection vulnerability allowing authenticated attackers to execute arbitrary commands on the host system via improper input neutralization.
Coolify is vulnerable to OS Command Injection, enabling authenticated attackers to execute arbitrary system commands through insecure input handling.
Coolify is vulnerable to OS Command Injection, allowing authenticated users to execute arbitrary commands on the underlying host system.
Coolify is susceptible to an OS Command Injection vulnerability, permitting authenticated users to execute arbitrary commands on the host server.
Coolify contains a path traversal vulnerability that allows authenticated users to access or manipulate restricted files on the server.
Coolify is susceptible to an OS Command Injection vulnerability, allowing authenticated attackers to execute arbitrary system commands on the host server.
Coolify contains an OS command injection vulnerability that allows authenticated users to execute arbitrary system commands via improper input neutralization.
Coolify is vulnerable to an OS command injection flaw, allowing authenticated attackers to execute arbitrary code on the host operating system.
Coolify is susceptible to OS command injection, allowing authenticated attackers to execute arbitrary system commands via improper neutralization of special elements.
Coolify is vulnerable to a Cross-Site Request Forgery (CSRF) attack, which could allow an unauthorized party to perform actions on behalf of an authenticated user.
Coolify is affected by an authorization bypass vulnerability, allowing authenticated users to access resources they are not permitted to view via user-controlled keys.
The Apache Camel PQC component is susceptible to a Deserialization of Untrusted Data vulnerability, potentially allowing remote code execution if exploited.
The Apache Camel CXF SOAP component is vulnerable to an Improper Input Validation and 'Confused Deputy' issue, allowing unauthenticated attackers to bypass security controls.
An improper privilege management vulnerability in the AllCoach WordPress plugin allows authenticated users with lower privileges to perform unauthorized actions.
The Simple Membership WordPress plugin contains a Cross-Site Scripting (XSS) vulnerability, allowing unauthenticated attackers to execute malicious scripts in the context of a user's browser.
The FileOrganizer WordPress plugin contains an Unrestricted Upload of File with Dangerous Type vulnerability, enabling authenticated users to upload arbitrary files to the server.
Apache Camel is susceptible to an untrusted Java deserialization vulnerability, which could allow an attacker to achieve full system compromise.
A deserialization of untrusted data vulnerability exists in Apache Camel, potentially allowing unauthorized attackers to gain control over the system.
A deserialization of untrusted data vulnerability exists in the Apache Camel Hazelcast component, potentially allowing remote code execution.
The Admin and Site Enhancements (ASE) WordPress plugin is susceptible to an Improper Privilege Management vulnerability, which can lead to unauthorized access or privilege escalation.
The Ultimate Member WordPress plugin is vulnerable to Cross-Site Scripting (XSS) due to insufficient input sanitization, allowing authenticated attackers to execute malicious scripts.
A Deserialization of Untrusted Data vulnerability exists in the Apache Camel JMS component, allowing potential remote code execution or data manipulation.
A vulnerability in the vLLM inference engine allows for potential denial-of-service attacks due to inefficient regular expression complexity.
The Elixir-Mint HPAX library contains an inefficient algorithmic complexity vulnerability allowing unauthenticated denial-of-service via unbounded HPACK integer decoding.
A path traversal vulnerability in the Notifications for Forms & WordPress Actions plugin allows authenticated users to access or manipulate restricted files.
The pgjdbc PostgreSQL JDBC driver is susceptible to an algorithm downgrade vulnerability, failing to secure connections during the negotiation process.
An improper neutralization of special elements in data query logic exists in the Apache Camel Neo4J component, enabling potential query injection.
A flaw in Red Hat Advanced Cluster Security (RHACS) allows an authenticated user to perform uncontrolled resource consumption via the GraphQL API, potentially causing a denial-of-service.
A vulnerability in the vLLM inference engine allows unauthenticated attackers to trigger a denial-of-service via improper input validation of specified quantities.
A missing authorization vulnerability in the embedded webserver of HP 2800 Series Printers permits unauthenticated access to sensitive configuration or status data.
Apache IoTDB is vulnerable to an uncontrolled resource consumption flaw, which can be triggered by unauthenticated attackers to cause a denial-of-service.
An improper input validation vulnerability exists in the Apache Camel NATS component, which may allow for unauthorized data processing.
The Apache Camel Lucene component contains an improper input validation vulnerability that allows for authorization bypass via user-controlled keys.
A Server-Side Request Forgery (SSRF) and information exposure vulnerability exists in the Apache Camel Vertx Websocket component due to improper input validation.
The Apache Camel Iggy component is affected by improper input validation, resulting in SSRF and the exposure of sensitive information to unauthorized actors.
Apache Camel is susceptible to an Improper Input Validation vulnerability, potentially allowing unauthenticated remote attackers to impact system integrity and availability.
A critical improper input validation vulnerability in Apache Camel allows unauthenticated attackers to potentially perform unauthorized operations on the affected system.
Apache Camel suffers from an improper input validation vulnerability that could be exploited by unauthenticated remote attackers.
The Pillow imaging library is vulnerable to memory allocation issues when processing images with excessive size values, potentially leading to denial-of-service.
Pillow is vulnerable to a memory allocation issue where an attacker can trigger excessive memory consumption, leading to a denial-of-service condition.
Pillow is vulnerable to a memory allocation issue where an attacker can trigger excessive memory consumption, leading to a denial-of-service condition.
Pillow is vulnerable to a memory allocation issue where an attacker can trigger excessive memory consumption, leading to a denial-of-service condition.
A pre-authentication vulnerability in the network communication subsystem of BeyondTrust Remote Support and Privileged Remote Access allows for uncontrolled resource consumption.
The throttling event handling mechanism in multiple WSO2 products fails to properly validate user-supplied JSON payloads, leading to potential denial-of-service conditions.
A vulnerability in the web application component of BeyondTrust Remote Support and Privileged Remote Access allows authenticated users to exploit improper neutralization of data query logic.
The metrics-service component in Amazon MCP Gateway & Registry is vulnerable to SQL injection within its retention policy management functionality.
The JSON-RPC API in Leantime contains an authorization bypass that allows authenticated users to retrieve sensitive credential information from other accounts.
Traefik is susceptible to multiple vulnerabilities involving improper case sensitivity handling and authentication bypass, potentially leading to unauthorized data access.
The Gitea Notification API leaks private issue metadata even after access has been revoked, resulting in an information disclosure vulnerability.
FOSSBilling is susceptible to a code injection vulnerability, allowing an authenticated administrator to execute arbitrary code within the application environment.
MicroRealEstate is affected by an authentication bypass vulnerability stemming from insufficient management of token states.
Qualcomm Snapdragon chipsets contain a stack-based buffer overflow vulnerability during the processing of HT40 channel layouts.
FOSSBilling contains multiple authorization and information exposure vulnerabilities allowing authenticated users to bypass security controls and access sensitive data.
FOSSBilling suffers from an insufficient session expiration vulnerability, which may allow attackers to maintain unauthorized access to user sessions.
The Elixir-Mint Mint library is vulnerable to resource exhaustion due to a lack of limits or throttling on resource allocation during network operations.
FOSSBilling is susceptible to an authorization bypass via user-controlled keys, allowing authenticated users to access or modify data they are not authorized to view or manage.
Crawl4AI is vulnerable to Server-Side Request Forgery (SSRF) due to insufficient validation of user-supplied URLs, allowing unauthenticated attackers to probe internal network resources.
FOSSBilling contains an improper privilege management vulnerability, allowing authenticated users to escalate their privileges and perform unauthorized administrative actions.
The SharePoint for ownCloud application is susceptible to Server-Side Request Forgery (SSRF), allowing an authenticated user to perform unauthorized requests from the server.
A Server-Side Request Forgery (SSRF) vulnerability in SUSE Rancher Fleet allows for the forgery of unauthenticated webhook requests.
The Armiya Information Technologies Access Control System (GKS) contains a missing authorization flaw, allowing unauthenticated remote attackers to potentially access restricted system functions.
The DrawIO for ownCloud application is vulnerable to Stored Cross-Site Scripting (XSS), which may allow an authenticated user to execute arbitrary scripts in the context of another user's session.
pnpm is affected by a path traversal vulnerability that may allow for unauthorized file system operations.
Leantime contains an OIDC login CSRF vulnerability in the verifyState() method that fails to properly validate state parameters.
ownCloud 10 is susceptible to a relative path traversal vulnerability that could allow unauthorized access to the file system.
A memory corruption vulnerability exists in Qualcomm Snapdragon components due to improper buffer handling during memory allocation.
A race condition in Qualcomm Snapdragon components allows memory corruption due to improper handling of parameters between check and use.
A weak password recovery mechanism in FOSSBilling allows unauthenticated attackers to potentially compromise user accounts.
A path traversal vulnerability in HashiCorp Terraform Enterprise during VCS registry module ingestion allows for unauthorized file reads.
FOSSBilling is susceptible to missing authentication and incorrect authorization vulnerabilities, potentially allowing unauthenticated attackers to manipulate critical system functions.
An untrusted search path vulnerability in B&R Industrial Automation APROL allows local authenticated users to escalate privileges by manipulating the application's search environment.
Idvlabs Ontime contains an authorization bypass vulnerability via a user-controlled key, allowing unauthenticated attackers to access sensitive data.
An authorization bypass vulnerability in Idvlabs Ontime allows unauthenticated attackers to access sensitive data via user-controlled keys.
An improper authentication flaw in Genetec Security Center 5 allows unauthenticated attackers to potentially retrieve live video streams.
A memory management flaw in Imager::File::JPEG allows an attacker to cause a denial-of-service condition through improper memory release.
An improper certificate validation vulnerability in B&R Industrial Automation's APROL allows potential security bypasses.
An integer overflow vulnerability exists in the GIMP PSD parser, which may lead to memory corruption when processing malformed image files.
An off-by-one error in GIMP's PNM file format parser may cause memory corruption when processing malformed files.
A SQL injection vulnerability in the add_event.php file of Code-Projects Hotel and Tourism Reservation 1.0 allows for remote, unauthenticated database manipulation.
An unauthenticated Regular Expression Denial of Service (ReDoS) vulnerability exists in Gitea's CODEOWNERS pattern matching, allowing attackers to cause excessive resource consumption.